Total
2402 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-2802 | 1 Mozilla | 2 Firefox, Thunderbird | 2026-04-15 | 4.2 Medium |
| Race condition in the JavaScript: GC component. This vulnerability was fixed in Firefox 148 and Thunderbird 148. | ||||
| CVE-2026-28549 | 1 Huawei | 1 Harmonyos | 2026-04-15 | 6.6 Medium |
| Race condition vulnerability in the permission management service. Impact: Successful exploitation of this vulnerability may affect availability. | ||||
| CVE-2026-32887 | 2 Effect Project, Effectful | 2 Effect, Effect | 2026-04-15 | 7.4 High |
| Effect is a TypeScript framework that consists of several packages that work together to help build TypeScript applications. Prior to version 3.20.0, when using `RpcServer.toWebHandler` (or `HttpApp.toWebHandlerRuntime`) inside a Next.js App Router route handler, any Node.js `AsyncLocalStorage`-dependent API called from within an Effect fiber can read another concurrent request's context — or no context at all. Under production traffic, `auth()` from `@clerk/nextjs/server` returns a different user's session. Version 3.20.0 contains a fix for the issue. | ||||
| CVE-2026-34849 | 1 Huawei | 1 Harmonyos | 2026-04-15 | 2.5 Low |
| UAF vulnerability in the screen management module. Impact: Successful exploitation of this vulnerability may affect availability. | ||||
| CVE-2024-0397 | 2 Python Software Foundation, Redhat | 2 Cpython, Enterprise Linux | 2026-04-15 | 7.4 High |
| A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5. | ||||
| CVE-2023-51779 | 2 Linux, Redhat | 6 Kernel, Enterprise Linux, Rhel Aus and 3 more | 2026-04-15 | 7 High |
| bt_sock_recvmsg in net/bluetooth/af_bluetooth.c in the Linux kernel through 6.6.8 has a use-after-free because of a bt_sock_ioctl race condition. | ||||
| CVE-2025-10216 | 1 Grandnode | 1 Grandnode | 2026-04-15 | 2.6 Low |
| A vulnerability was detected in GrandNode up to 2.3.0. The impacted element is an unknown function of the file /checkout/ConfirmOrder/ of the component Voucher Handler. The manipulation of the argument giftvouchercouponcode results in race condition. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is regarded as difficult. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-53476 | 1 Simplcommerce | 1 Simplcommerce | 2026-04-15 | 5.9 Medium |
| A race condition vulnerability in SimplCommerce at commit 230310c8d7a0408569b292c5a805c459d47a1d8f allows attackers to bypass inventory restrictions by simultaneously submitting purchase requests from multiple accounts for the same product. This can lead to overselling when stock is limited, as the system fails to accurately track inventory under high concurrency, resulting in potential loss and unfulfilled orders. | ||||
| CVE-2025-54955 | 1 Opennebula | 1 Opennebula | 2026-04-15 | 8.1 High |
| OpenNebula Community Edition (CE) before 7.0.0 and Enterprise Edition (EE) before 6.10.3 have a critical FireEdge race condition that can lead to full account takeover. By exploiting this, an unauthenticated attacker can obtain a valid JSON Web Token (JWT) belonging to a legitimate user without knowledge of their credentials. | ||||
| CVE-2024-29863 | 2026-04-15 | 7.8 High | ||
| A race condition in the installer executable in Qlik Qlikview before versions May 2022 SR3 (12.70.20300) and May 2023 SR2 (12,80.20200) may allow an existing lower privileged user to cause code to be executed in the context of a Windows Administrator. | ||||
| CVE-2023-48366 | 2026-04-15 | 5.3 Medium | ||
| Race condition in some Intel(R) System Security Report and System Resources Defense firmware may allow a privileged user to potentially enable information disclosure via local access. | ||||
| CVE-2025-37088 | 2026-04-15 | 6.8 Medium | ||
| A security vulnerability has been identified in HPE Cray Data Virtualization Service (DVS). Depending on race conditions and configuration, this vulnerability may lead to local/cluster unauthorized access. | ||||
| CVE-2025-0372 | 2026-04-15 | N/A | ||
| Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in HYPR Passwordless on Windows allows Privilege Escalation.This issue affects HYPR Passwordless: before 10.1. | ||||
| CVE-2025-46613 | 1 Openplcproject | 1 Openplc | 2026-04-15 | 7.5 High |
| OpenPLC 3 through 64f9c11 has server.cpp Memory Corruption because a thread may access handleConnections arguments after the parent stack frame becomes unavailable. | ||||
| CVE-2024-47534 | 1 Theupdateframework | 1 Go-tuf | 2026-04-15 | 5.3 Medium |
| go-tuf is a Go implementation of The Update Framework (TUF). The go-tuf client inconsistently traces the delegations. For example, if targets delegate to "A", and to "B", and "B" delegates to "C", then the client should trace the delegations in the order "A" then "B" then "C" but it may incorrectly trace the delegations "B"->"C"->"A". This vulnerability is fixed in 2.0.1. | ||||
| CVE-2024-12747 | 1 Redhat | 3 Discovery, Enterprise Linux, Openshift | 2026-04-15 | 5.6 Medium |
| A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation. | ||||
| CVE-2025-59052 | 1 Angular | 1 Angular | 2026-04-15 | 7.1 High |
| Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state. In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks. The APIs `bootstrapApplication`, `getPlatform`, and `destroyPlatform` were vulnerable and required SSR-only breaking changes. The issue has been patched in all active release lines as well as in the v21 prerelease. Patched packages include `@angular/platform-server` 21.0.0-next.3, 20.3.0, 19.2.15, and 18.2.14 and `@angular/ssr` 21.0.0-next.3, 20.3.0, 19.2.16, and 18.2.21. Several workarounds are available. Disable SSR via Server Routes or builder options, remove any asynchronous behavior from custom `bootstrap` functions, remove uses of `getPlatform()` in application code, and/or ensure that the server build defines `ngJitMode` as false. | ||||
| CVE-2024-36262 | 2026-04-15 | 7.2 High | ||
| Race condition in some Intel(R) System Security Report and System Resources Defense firmware may allow a privileged user to potentially enable escalation of privilege via local access. | ||||
| CVE-2024-2193 | 2 Amd, Xen | 2 Cpu, Xen | 2026-04-15 | 5.7 Medium |
| A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths. | ||||
| CVE-2024-23599 | 2026-04-15 | 7.9 High | ||
| Race condition in Seamless Firmware Updates for some Intel(R) reference platforms may allow a privileged user to potentially enable denial of service via local access. | ||||